Abstract. We consider the untyped lambda calculus with constructors and recursively
defined constants. We construct a domain-theoretic model such that any term not denoting
$\bot$ is strongly normalising provided all its 'stratified approximations' are. From this we
derive a general normalisation theorem for applied typed $\lambda$-calculi: If all constants have
a total value, then all typeable terms are strongly normalising. We apply this result to
extensions of Gödel's system T and system F extended by various forms of bar recursion
for which strong normalisation was hitherto unknown.



1. Introduction 

Extensions of typed $\lambda$-calculi by data types and recursively defined higher-order
functions, often called applied $\lambda$-calculi, play an important role in logic and computer science.
They are used, for example, to represent formal proofs and to give computational
interpretations of logical and mathematical theories leading to relative consistency results
and estimates of the strengths of theories in terms of their provably recursive functions
[Göd58, Spe62, Gir71, Tro73, l( : ( J 93]. They also form the theoretical backbone of functional
and type-theoretic proof/programming languages [jea86, PM93]. The most important and
often also most difficult problem in the study of applied $\lambda$-calculi is normalisation, i.e. the
question whether every term can be reduced to a normal form with respect to $\beta$-reduction
and the rewrite rules for the extended calculus. The best possible result in this connection is
strong normalisation, i.e. termination of every possible reduction sequence. A common
pattern for proving strong normalisation for an applied $\lambda$-calculus is to take an existing strong
normalisation proof for the 'pure' underlying typed $\lambda$-calculus w.r.t. $\beta$-reduction only and
adapt it to the applied calculus. A typical example is the strong normalisation proof for
Gödel's system T of primitive recursive functionals in simple types [Göd58] which can be
obtained by adapting Tait's computability method to primitive recursion [Tro73]. Similar
methods were applied to prove strong normalisation for the calculus of constructions
extended by inductive types [Alt93, BJO99]. There are important extensions of system T by
stronger recursion principles, for example Spector's bar recursion [Spe62], which also have
been treated using adaptations of Tait's computability method, however at the price of
considerable complications. The difficulty in proving normalisation for bar recursion and similar
recursion schemes lies in the fact that these schemes do not use a recursive descent along
some kind of wellfounded structural ordering, but rather rely on continuity arguments and
the ability to construct, in a suitable model, infinite sequences by nonconstructive choices.
Since the computability method amounts to the construction of a syntactic model (built
from strongly normalising terms) which does not satisfy these requirements, one needs to
enrich the model, either by introducing infinite terms [Tai71, Vog85], or by building the
model from sets of terms instead of single terms [Bez85]. These modifications, which work
for Spector's bar recursion, seem to fail, however, for other recursion principles which also
rely on continuity and choice and which occur in recent work on computational
interpretations of classical choice and related principles [BBC98, BO05, Ber04a]. An example is
modified bar recursion (see (2.1) in section 2).

In this paper we present a new method for proving strong normalisation of applied
lambda calculi which will allow us to deal with modified bar recursion and other forms of
recursion. The method roughly proceeds as follows: Let $T$ be a strongly normalising typed
$\lambda$-calculus. We assume that $T$ is given as a type assignment system for untyped $\lambda$-terms
with constructors, and we require that $T$ allows for the (nonrecursive) definition of functions
by pattern matching on constructors. Let $\mathcal{R}$ be a higher-order rewrite system using pattern
matching and (possibly) recursion. Then, to prove strong normalisation for $T + \mathcal{R}$ we

(a) interpret the untyped terms in a strict domain model where the constants are
interpreted according to $\mathcal{R}$,

(b) show that any term not denoting $\bot$ is strongly normalising,

(c) prove that all constants are total w.r.t. the notion of totality given by the typing
discipline of $T$.

While, as we will see, (a) and (b) are always possible, (c) will depend on the given rewrite
system $\mathcal{R}$. Now, by (c) (and the presumed soundness of the typing discipline w.r.t. the
model) all typeable terms are total and hence $\neq \bot$. With (b) it follows that all typeable
terms are strongly normalising.

The advantages of this method lie in its generality and its manifold modularity aspects: 
First, strong normalisation of the underlying typed $\lambda$-calculus can be proven separately.
Second, steps (a) and (b) above are independent of the typing discipline and can be carried
out for any rewrite system $\mathcal{R}$. The constructions and proofs involved in (a) and (b) are
elementary (formalisable in primitive recursive arithmetic). Third, the logical and mathe- 
matical strengths of the typing discipline and the rewrite rules only enter into step (c). The 
proof of totality of the constants can usually be carried out using the intuitive argument 
why the given rewrite rules are 'semantically sound'. Fourth, the combination of different 
rewrite systems for which strong normalisation can be shown using our method preserves 
strong normalisation. This holds because our method only uses totality of the constants of 
each rewrite system separately. 

Our method appears to be similar to Plotkin's adequacy proof for PCF [Plo77], and, in
fact, is inspired by [Plo77]. The differences are that Plotkin intertwines the computability
method for the simply typed $\lambda$-calculus with a semantic approximation argument whereas
we keep these arguments separate. Also, Plotkin deals with full recursion without pattern
matching and shows weak normalisation for closed terms of ground-type only whereas our
recursions are of a restricted form, but we show strong normalisation for terms of arbitrary
types.

As mentioned above our method only applies to rewrite systems based on a restricted 
form of pattern matching. These restrictions enforce that the rewrite rules define the op- 
erational and denotational semantics of the constants in a canonical way. Hence, rules like 
distributivity or permutative conversions, which express optimisations rather than defini- 
tions, are not covered by our method. Strong normalisation results for higher-order rewrite 
rules of the latter kind are proven in [vdPS95] with a different semantic method based on
another notion of strict functionals. 

Our paper is organised as follows. Section 2 introduces untyped $\lambda$-calculi with
constructors and constants together with higher-order rewrite rules. As our running example
we discuss a few primitive recursive constants and rewrite rules for modified bar recursion.
We give an informal argument why, under the assumption that higher type functions are
continuous, bar recursion is sound. In section 3 we define a strict domain-theoretic model
for the calculi introduced previously. We prove that any term not denoting $\bot$ is strongly
normalisable provided all its 'stratified approximations' are, where, roughly speaking, the
$n$-th stratified approximation of a term is obtained by replacing each constant by a variant
for which maximally $n$ unfoldings of the recursion equations are allowed. The untyped
result is used in section 4 to prove a strong normalisation theorem for applied $\lambda$-calculi
based on an abstract notion of a strongly normalising and total type system. We have kept
the notion of type system as general as possible in order to prepare the ground for future
applications of our method to a variety of type systems. In section 5 we consider as an
example Girard/Reynolds' system F of second-order polymorphic $\lambda$-calculus. We show that
extending this system by higher type primitive recursion and modified bar recursion does
not destroy strong normalisation. We also discuss some other higher-order rewrite systems
our method applies to.

In [Ber04b] we have worked out a special case of our method, tailored for the simply
typed $\lambda$-calculus. By giving up generality the definition of the model and the totality proofs
then are slightly simpler. However, we feel that the greater flexibility gained by the type 
free approach of this paper is worth paying the price of technically slightly more involved 
constructions. 

Acknowledgements. The comments and the constructive criticism by two anonymous 
referees contributed significantly to an improved presentation of this work. 

2. The type free $\lambda$-calculus with constructors and recursion

We fix a set $\mathrm{Var}$ of variables $x, y, \dots$. Given a set $\mathrm{CO}$ of constructors $\mathrm{co}$ and a set $C$ of
constants $c$, the set of terms $\Lambda = \Lambda(\mathrm{CO}, C)$ is defined by

$$\Lambda \ni M, N ::= x \mid \mathrm{co}(M_1, \dots, M_k) \mid c \mid \lambda x\,M \mid M N$$

where $k$ is the arity of $\mathrm{co}$, which is fixed for each constructor. If $\mathrm{CO}$ is fixed, but $C$ may
vary, then we write $\Lambda(C)$ instead of $\Lambda(\mathrm{CO}, C)$. We let $\mathrm{FV}(M)$ denote the set of free variables
of a term $M$.

The operational meaning of the constants $c \in C$ is given by a set $\mathcal{R}$ of rewrite rules
of the form

$$c P_1 \dots P_n \mapsto R$$

where $\mathrm{FV}(c P_1 \dots P_n) \supseteq \mathrm{FV}(R)$ and the $P_i$ are constructor patterns, i.e. terms built from
variables and the constructors such that no variable occurs twice in the term $c\vec{P}$. The
number $n$ of arguments $P_i$ is fixed for each constant $c$ and is called the arity of $c$. We
furthermore require the $P_i$ to be mutually variable disjoint and the left hand sides of different
rules to be non-unifiable. A rule of the form $c\vec{P} \mapsto R$ is called a rule for $c$.

A conversion, $M \mapsto N$, is either a $\beta$-conversion, $(\lambda x\,M)N \mapsto_\beta M[N/x]$, or an instance
of a rewrite rule, i.e. $L\sigma \mapsto R\sigma$ for some rewrite rule $L \mapsto R \in \mathcal{R}$ and substitution $\sigma$. We
write $M \to_{\mathcal{R}} N$ if $N$ is obtained from $M$ by replacing one subterm occurrence of the left
hand side of a conversion by its right hand side.

We call a term $M$ strongly normalising with respect to $\mathcal{R}$, $\mathrm{SN}_{\mathcal{R}}(M)$, if there is no infinite
reduction sequence $M \to_{\mathcal{R}} M_1 \to_{\mathcal{R}} \dots$. Equivalently, the predicate $\mathrm{SN}_{\mathcal{R}}$ is inductively
generated by the single rule:

If $\mathrm{SN}_{\mathcal{R}}(N)$ for all $N$ such that $M \to_{\mathcal{R}} N$, then $\mathrm{SN}_{\mathcal{R}}(M)$.

Our goal is to prove strong normalisation for various classes of terms (which are usually
given by typing disciplines) with respect to various rewrite systems $\mathcal{R}$.

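As an example consider the constructors $\mathrm{T}$, $\mathrm{F}$, $0$, $[]$, $\mathrm{S}$, $\mathrm{cons}$ and the constants $\mathrm{if}$, $<$, $\mathrm{lh}$,
$\mathrm{get}$ and $\mathbin{+\!\!+}$ with the rewrite rules

$$\begin{array}{rcl}
\mathrm{if}\ \mathrm{T}\ x\ y &\mapsto& x \\
\mathrm{if}\ \mathrm{F}\ x\ y &\mapsto& y \\
n < 0 &\mapsto& \mathrm{F} \\
0 < \mathrm{S}(m) &\mapsto& \mathrm{T} \\
\mathrm{S}(n) < \mathrm{S}(m) &\mapsto& n < m \\
\mathrm{lh}\ [] &\mapsto& 0 \\
\mathrm{lh}\ \mathrm{cons}(x, s) &\mapsto& \mathrm{S}(\mathrm{lh}\ s) \\
\mathrm{get}\ \mathrm{cons}(x, s)\ 0 &\mapsto& x \\
\mathrm{get}\ \mathrm{cons}(x, s)\ \mathrm{S}(n) &\mapsto& \mathrm{get}\ s\ n \\
[] \mathbin{+\!\!+} t &\mapsto& t \\
\mathrm{cons}(x, s) \mathbin{+\!\!+} t &\mapsto& \mathrm{cons}(x, s \mathbin{+\!\!+} t)
\end{array}$$

When assigning suitable types to these constructors and constants one obtains a subsystem
of Gödel's system T of primitive recursive functionals in finite types which is well-known to
be strongly normalising. We are interested in stronger forms of recursion, for example bar
recursion, which we discuss now. To improve readability we will write $M_k$ for $\mathrm{get}\,M\,k$, $M * N$
for $M \mathbin{+\!\!+} \mathrm{cons}(N, [])$ and $\mathrm{if}\ M\ \mathrm{then}\ N\ \mathrm{else}\ K$ for $\mathrm{if}\,M\,N\,K$. The following form of modified bar
recursion was studied in [BBC98] and [BO05]:

$$\Phi y g s = y(\lambda k.\,\mathrm{if}\ k < |s|\ \mathrm{then}\ s_k\ \mathrm{else}\ g\,k\,(\lambda x.\,\Phi y g (s * x)))$$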

In order to make sense of this equation one should think of the variables being typed
as follows: $y : (\mathrm{nat} \to \rho) \to \mathrm{nat}$, $g : \mathrm{nat} \to (\rho \to \mathrm{nat}) \to \rho$, $s : \mathrm{list}(\rho)$, where $\rho$ is an
arbitrary type. A functional $\Phi$ satisfying the recursion equation above was used in [BBC98]
and [BO05] to give a realisability interpretation of the classical (i.e. negative translated)
axiom of countable dependent choice. Below we give an intuitive argument why, under the
assumption that higher type functions are continuous, the equation above is sound in the
sense that it defines a total functional (i.e. maps total arguments to total values):

Let $g, y, s$ be total arguments where $s = [x_0, \dots, x_{n-1}]$ with total $x_i$, and assume,
for contradiction, that $\Phi y g s$ is undefined. Then the infinite sequence
$\lambda k.\,\mathrm{if}\ k < |s|\ \mathrm{then}\ x_k\ \mathrm{else}\ g\,k\,(\lambda x.\,\Phi y g (s * x))$ cannot be total, so there must be some $k$ such that
$g\,k\,(\lambda x.\,\Phi y g (s * x))$ is not total. Since $g$ is total this implies that $\lambda x.\,\Phi y g (s * x)$ is not
total, i.e. $\Phi y g (s * x_n)$ is not total for some total $x_n$. Repeating this argument one
arrives at an infinite sequence of total elements $x_i$ such that $\Phi y g [x_0, \dots, x_{m-1}]$ is
undefined for all $m > n$. Since all $x_k$ are total, $y(\lambda k.\,x_k)$ must be defined.
Furthermore, since $y$ is assumed to be continuous it will query its argument at numbers
$k$ smaller than some fixed number $m$ only. But then $\Phi y g [x_0, \dots, x_{m-1}]$ must be
defined as well, which is a contradiction.
In the proof of theorem 5.4 we will repeat a slight variation of this argument in a strict
domain-theoretic model in order to obtain strong normalisation of system F extended by
modified bar recursion. More precisely, since turning the equation above into a rewrite rule
would clearly not be strongly normalising, we will have to work with the following minor
variation of modified bar recursion. We replace the conditional expression on the right hand
side by a call of an auxiliary constant with an extra (boolean) argument in order to force
evaluation of the test $k < |s|$ before the subterm $\Phi y g (s * x)$ may be further reduced (Vogel's
trick [Vog85]).

$$\begin{array}{rcll}
\Phi y g s &\mapsto& y(\lambda k.\,\Psi y g s k\,(k < |s|)) & \\
\Psi y g s k\,\mathrm{T} &\mapsto& s_k & \qquad (2.1) \\
\Psi y g s k\,\mathrm{F} &\mapsto& g\,k\,(\lambda x.\,\Phi y g (s * x)) &
\end{array}$$

Our results will enable us to easily show that all terms that are typeable in system F (under
a suitable typing of the constructors and constants) are strongly normalising with respect
to the rewrite rules above.
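
Added example (not part of the original paper): the rules (2.1) run as a Python program at $\rho = \mathrm{nat}$, recording every sequence $s$ on which $\Phi$ is unfolded, so that one can see the recursion stop once $s$ is longer than the largest index queried by $y$. The functionals `y_first` and `g_diag` and the log are assumptions chosen for illustration; Python's eager evaluation of the argument `k < len(s)` plays the role of the forced test.

```python
def make_mbr():
    """Return (Phi, log); log collects each sequence s on which Phi is unfolded."""
    log = []

    def Phi(y, g, s):
        # Phi y g s  |->  y(\k. Psi y g s k (k < |s|))
        log.append(tuple(s))
        return y(lambda k: Psi(y, g, s, k, k < len(s)))

    def Psi(y, g, s, k, b):
        # b is already a value when Psi is entered: the test k < |s| is
        # decided before the recursive call below can be touched.
        if b:
            return s[k]                                # Psi y g s k T |-> s_k
        return g(k, lambda x: Phi(y, g, s + [x]))      # Psi y g s k F |-> g k (\x. Phi y g (s*x))

    return Phi, log


def y_first(m):
    """Hypothetical continuous y: queries its argument at 0..m-1 only and sums."""
    return lambda f: sum(f(k) for k in range(m))


def g_diag(k, h):
    """Hypothetical total g : nat -> (nat -> nat) -> nat, extending s by k."""
    return h(k)


def run(m):
    """Evaluate Phi y g [] for y = y_first(m); return (value, unfolded sequences)."""
    Phi, log = make_mbr()
    return Phi(y_first(m), g_diag, []), log


if __name__ == "__main__":
    for m in (2, 3):
        value, log = run(m)
        print(m, value, len(log), max(len(s) for s in log))
```

No unfolded sequence is longer than `m`: as soon as `s` covers every index that `y` queries, only the rule for `T` fires, which is the continuity argument given above.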

3. A domain-theoretic model for strong normalisation

By a domain we mean a Scott domain, i.e. a consistently complete algebraic domain
with an effective base [GLSH93, AJ94]. The least element of a domain $D$ is denoted $\bot_D$
(or $\bot$, if no confusion is possible) and $\sqsubseteq_D$ (or $\sqsubseteq$) denotes the domain ordering. $D \to E$
denotes the domain of continuous functions from $D$ to $E$. Note that $\bot_{D \to E} = \lambda a \in D.\,\bot_E$.
If $X$ is an effectively given countable set, then $X_\bot$ denotes the flat domain $X \cup \{\bot\}$ where
all elements of $X$ are maximal and $\bot$ ($\notin X$) is the least element. For any domain $D$ we
let $D^X$ be the domain of all functions from $X$ to $D$, ordered pointwise. For a continuous
function $f : D^k \to E$ we define the strict version, $\mathrm{strict}(f) : D^k \to E$, by $\mathrm{strict}(f)(\vec a) :=
f(\vec a)$ if $\bot \notin \vec a$, $\mathrm{strict}(f)(\vec a) := \bot$ otherwise. Clearly $\mathrm{strict}(f)$ is again continuous and
$\mathrm{strict}(f) \sqsubseteq f$. Moreover, $\mathrm{strict}(\cdot)$ is itself a continuous function on the domain $D^k \to E$.
We will also use $\mathrm{Maybe}(D) := D + 1 = \{\mathrm{Just}(d) \mid d \in D\} \cup \{\mathrm{Nothing}\} \cup \{\bot\}$ where $1$ denotes
some 1-element domain and, in general, $D_1 + \dots + D_k$ denotes the usual separated sum of
domains which has as carrier the disjoint union of the $D_i$ plus a new bottom element and
is ordered in the expected way.

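Given a system $\mathrm{CO}$ of constructors we define the domain $D$ by the recursive domain
equation

$$D = \sum_{\mathrm{co} \in \mathrm{CO}} D^{\mathrm{arity}(\mathrm{co})} + (D \to D)$$

The existence of a solution to such an equation is guaranteed by the fact that in the
category of domains and embedding/projection pairs the separated sum and the continuous
function space construction are continuous functors (co-variant in all arguments) and all
such functors have initial fixed points (up to isomorphism). By the definition of $D$ every
element of $D \setminus \{\bot\}$ is either of the form $\mathrm{co}(\vec a)$ with $\vec a \in D^{\mathrm{arity}(\mathrm{co})}$, or of the form $\mathrm{abst}(f)$
with $f \in D \to D$, and there are continuous functions $\mathrm{abst} : (D \to D) \to D$, $\mathrm{app} : D^2 \to D$
and $\mathrm{case} : D \to (\mathrm{CO} \cup \{\mathrm{abst}\})_\bot$ as well as for each constructor $\mathrm{co}$ of arity $k$ continuous
functions $\mathrm{co} : D^k \to D$ and $\mathrm{co}_i^{-1} : D \to D$ ($i = 1, \dots, k$) such that

(i) $\mathrm{case}(\mathrm{co}(\vec a)) = \mathrm{co}$, $\mathrm{case}(\mathrm{abst}(f)) = \mathrm{abst}$,

(ii) $\mathrm{co}_i^{-1}(\mathrm{co}(\vec a)) = a_i$,

(iii) $\mathrm{app}(\mathrm{abst}(f), b) = f(b)$.

If $f \in D^k \to D$, then $\mathrm{abst}(f)$ stands for $\mathrm{abst}(\lambda a_1 \in D.\,\dots\,\mathrm{abst}(\lambda a_k \in D.\,f(a_1, \dots, a_k))\dots)$.
Similarly, $\mathrm{app}(a, b_1, \dots, b_k)$ abbreviates $\mathrm{app}(\dots \mathrm{app}(a, b_1) \dots, b_k)$. We define for each term
$M \in \Lambda(C)$ the strict denotational semantics $[\![M]\!] : D^C \to D^{\mathrm{Var}} \to D$ by

$$\begin{array}{rcl}
[\![x]\!]^\alpha \eta &=& \eta(x) \\
[\![c]\!]^\alpha \eta &=& \alpha(c) \\
[\![\lambda x\,M]\!]^\alpha \eta &=& \mathrm{strict}(\mathrm{abst})(\lambda a \in D.\,[\![M]\!]^\alpha \eta_x^a) \\
[\![M N]\!]^\alpha \eta &=& \mathrm{strict}(\mathrm{app})([\![M]\!]^\alpha \eta, [\![N]\!]^\alpha \eta) \\
[\![\mathrm{co}(M_1, \dots, M_k)]\!]^\alpha \eta &=& \mathrm{strict}(\mathrm{co})([\![M_1]\!]^\alpha \eta, \dots, [\![M_k]\!]^\alpha \eta)
\end{array}$$

The soundness of this definition rests on the fact that domains and continuous functions
form a cartesian closed category.

Lemma 3.1. Let $M, N \in \Lambda(C)$, $\alpha \in D^C$, $\eta \in D^{\mathrm{Var}}$, $\theta : C \to C'$, $\alpha' \in D^{C'}$.

(a) If $\alpha(c) = \bot_D$ for some constant $c$ in $M$, then $[\![M]\!]^\alpha = \bot_{D^{\mathrm{Var}} \to D}$.

(b) $[\![M[N/x]]\!]^\alpha \eta = [\![M]\!]^\alpha \eta_x^a$ where $a := [\![N]\!]^\alpha \eta$.

(c) $[\![M\theta]\!]^{\alpha'} = [\![M]\!]^{\alpha' \circ \theta}$ ($M\theta := M[\theta(c)/c \mid c \in C]$).

(d) $[\![(\lambda x\,M)N]\!] \sqsubseteq [\![M[N/x]]\!]$.

Proof. (a-c) are proved by easy inductions on $M$. (d) follows from (b): Let $a := [\![N]\!]^\alpha \eta$.
Then $[\![(\lambda x\,M)N]\!]^\alpha \eta \sqsubseteq \mathrm{app}(\mathrm{abst}(\lambda b \in D.\,[\![M]\!]^\alpha \eta_x^b), a) = [\![M]\!]^\alpha \eta_x^a = [\![M[N/x]]\!]^\alpha \eta$. □

Next we define the constant assignment $\alpha_{\mathcal{R}} \in D^C$ naturally associated with a rewrite
system $\mathcal{R}$. The values $\alpha_{\mathcal{R}}(c) \in D$ are defined by a simultaneous recursion, i.e. $\alpha_{\mathcal{R}}$ is the least
fixed point of a certain continuous operator on the domain $D^C$. For a constant $c$ without
any rule in $\mathcal{R}$ we set $\alpha_{\mathcal{R}}(c) := \bot$. The definition of $\alpha_{\mathcal{R}}(c)$ for constants with at least one rule
requires some preparation. For every vector $\vec P = P_1, \dots, P_k$ of variable disjoint constructor
patterns we define a continuous 'inverse' $\vec P^{-1} : D^k \to \mathrm{Maybe}(D^{\mathrm{Var}})$. The definition is by
recursion on the number of constructors in $\vec P$. $\vec x^{-1}(\vec a) := \mathrm{Just}(\bot_{\vec x}^{\vec a})$, where $\bot_{\vec x}^{\vec a}(x_i) = a_i$, and

        if $\mathrm{case}(b) \in (\mathrm{CO} \setminus \{\mathrm{co}\}) \cup \{\mathrm{abst}\}$
        if $\mathrm{case}(b) = \bot$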



Lemma 3.2.

(a) If $\vec P^{-1}(\vec a) = \mathrm{Just}(\eta)$ and $\vec P$ and $\vec Q$ are non-unifiable, then $\vec Q^{-1}(\vec a) \in \{\bot, \mathrm{Nothing}\}$.

(b) $\vec P^{-1}([\![\vec P\sigma]\!]^\alpha \eta) = [\![\sigma]\!]^\alpha \eta$ where $[\![\sigma]\!]^\alpha \eta(x) := [\![\sigma(x)]\!]^\alpha \eta$.

Proof. Easy inductions on the number of constructors in $\vec P$. □

By lemma 3.2 (a), the condition that the left hand sides of different rules for the same
constant are non-unifiable implies that for every constant $c$ of $\mathcal{R}$-arity $k$ and every $\vec a \in D^k$
there is at most one rule $c\vec P \mapsto R \in \mathcal{R}$ such that $\vec P^{-1}(\vec a) = \mathrm{Just}(\eta)$ for some $\eta \in D^{\mathrm{Var}}$. This
guarantees the soundness of the following definition of the values of a constant $c$ with at
least one rule in $\mathcal{R}$: $\alpha_{\mathcal{R}}(c) := \mathrm{abst}(f)$ where $f : D^k \to D$ is defined (recursively) by

$$f(\vec a) := \begin{cases}
[\![R]\!]^{\alpha_{\mathcal{R}}} \eta & \text{if } c\vec P \mapsto R \in \mathcal{R} \text{ and } \vec P^{-1}(\vec a) = \mathrm{Just}(\eta) \\
\mathrm{dummy} & \text{if } \vec P^{-1}(\vec a) = \mathrm{Nothing} \text{ for all } c\vec P \mapsto R \in \mathcal{R} \\
\bot & \text{otherwise}
\end{cases}$$

Here $\mathrm{dummy}$ is some fixed element of $D$ whose value will be irrelevant in this section.
However, when applying our construction to a particular type system (Section 5), we will have
to choose $\mathrm{dummy}$ in such a way that it lies in the intersection of all denotations of types
(note that $\mathrm{dummy}$ is independent of the type that might be associated with the constant $c$).
We set

$$[\![M]\!]^{\mathcal{R}} := [\![M]\!]^{\alpha_{\mathcal{R}}}$$

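Lemma 3.3. If $M \to_{\mathcal{R}} N$, then $[\![M]\!]^{\mathcal{R}} \eta \sqsubseteq [\![N]\!]^{\mathcal{R}} \eta$.

Proof. Induction on $M$.

If $M \mapsto_\beta N$, then we use lemma 3.1 (d).

Consider the case of a constant conversion, i.e. $c\vec P\sigma \mapsto R\sigma$. Set $\vec a := [\![\vec P\sigma]\!]^{\mathcal{R}} \eta = [\![\vec P]\!]^{\mathcal{R}} \eta'$
where $\eta'(x) := [\![\sigma(x)]\!]^{\mathcal{R}} \eta$, by lemma 3.1 (b). By lemma 3.2 (b), $\vec P^{-1}(\vec a) = \mathrm{Just}(\eta')$. Therefore,
$[\![c\vec P\sigma]\!]^{\mathcal{R}} \eta \sqsubseteq \mathrm{app}(\alpha_{\mathcal{R}}(c), \vec a) \sqsubseteq [\![R]\!]^{\mathcal{R}} \eta' = [\![R\sigma]\!]^{\mathcal{R}} \eta$, again by lemma 3.1 (b).

All other cases (conversion of a proper subterm) follow immediately from the induction
hypothesis and the fact that the functions $\mathrm{strict}(\mathrm{abst})$, $\mathrm{strict}(\mathrm{app})$ and $\mathrm{strict}(\mathrm{constr})$
are monotone. □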

The key to our first normalisation result is the approximation of a given rewrite system
by a 'stratified' rewrite system, that is a rewrite system where no recursion occurs. More
precisely, let $\mathcal{R}$ be a rewrite system for a given term system $\Lambda(C)$ and define inductively a
constant $c \in C$ to be stratified (w.r.t. $\mathcal{R}$) if for every rule $c P_1 \dots P_n \mapsto R \in \mathcal{R}$ the term
$R$ is stratified, i.e. contains stratified constants only. Roughly speaking, stratified rewrite
systems allow nothing more than to define functions by pattern matching and case analysis
on constructors. $\mathcal{R}$ is called stratified if all constants are stratified w.r.t. $\mathcal{R}$.

Let $\mathcal{R}$ be an arbitrary rewrite system for a system of constants $C$. For every constant
$c \in C$ and each $n \in \mathbb{N}$ let $c_n$ be a new constant and set $C_\omega := \{c_n \mid c \in C, n \in \mathbb{N}\}$. For every
term $M \in \Lambda(C)$ and $n \in \mathbb{N}$ let $M[n] \in \Lambda(C_\omega)$ be the term obtained from $M$ by replacing
every constant $c$ by $c_n$. We define a stratified rewrite system for $C_\omega$ by

$$\mathcal{R}_\omega := \{c_{n+1}\vec P \mapsto R[n] \mid c\vec P \mapsto R \in \mathcal{R},\ n \in \mathbb{N}\}$$

In the following we let $M, N, \dots$ range over $\Lambda(C)$ while $A, B, \dots$ range over $\Lambda(C_\omega)$. We write
$A \preceq M$ if replacing in $A$ each constant $c_n$ by $c$ yields $M$. In particular $M[n] \preceq M$.
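
Added example (not part of the original paper): a small rewriter for the first-order rules for $<$, $\mathrm{lh}$, $\mathrm{get}$ and $\mathbin{+\!\!+}$ of section 2 together with their stratified copies, showing that $M[n]$ gets stuck on a constant $c_0$ for small $n$ and reaches the normal form of $M$ once $n$ is large enough. The term encoding, the names `lt`/`app`, the innermost strategy and the sample term are assumptions made for illustration; only closed terms without $\lambda$ are handled.

```python
# A term is (kind, name, level, args): kind "co" is a constructor, kind "c" a
# constant; level None means a constant c of R, a number n the stratified copy
# c_n. Variables (plain str) occur only inside rule patterns and right hand sides.
def Co(name, *args): return ("co", name, None, args)
def C(name, *args): return ("c", name, None, args)

Z, NIL, T, F = Co("0"), Co("nil"), Co("T"), Co("F")
def S(a): return Co("S", a)
def cons(a, b): return Co("cons", a, b)
def num(k): return Z if k == 0 else S(num(k - 1))
def lst(*xs): return cons(xs[0], lst(*xs[1:])) if xs else NIL

RULES = [  # (constant, patterns, right hand side)
    ("lt",  ("n", Z),                 F),
    ("lt",  (Z, S("m")),              T),
    ("lt",  (S("n"), S("m")),         C("lt", "n", "m")),
    ("lh",  (NIL,),                   Z),
    ("lh",  (cons("x", "s"),),        S(C("lh", "s"))),
    ("get", (cons("x", "s"), Z),      "x"),
    ("get", (cons("x", "s"), S("n")), C("get", "s", "n")),
    ("app", (NIL, "t"),               "t"),
    ("app", (cons("x", "s"), "t"),    cons("x", C("app", "s", "t"))),
]

def stratify(t, n):
    """M[n]: replace every constant c by c_n (n=None removes the levels again)."""
    if isinstance(t, str):
        return t
    kind, name, _, args = t
    return (kind, name, n if kind == "c" else None, tuple(stratify(a, n) for a in args))

def erase(t):
    """The term M with t <= M in the sense of the paper: every c_n becomes c."""
    return stratify(t, None)

def subst(t, env):
    if isinstance(t, str):
        return env[t]
    kind, name, level, args = t
    return (kind, name, level, tuple(subst(a, env) for a in args))

def match(p, t, env):
    """Match constructor pattern p against closed term t, extending env."""
    if isinstance(p, str):
        env[p] = t
        return True
    return (t[0] == "co" and t[1] == p[1] and len(t[3]) == len(p[3])
            and all(match(pi, ti, env) for pi, ti in zip(p[3], t[3])))

def normalize(t):
    """Innermost normal form of a closed term; returns (normal form, rule steps)."""
    kind, name, level, args = t
    steps, new_args = 0, []
    for a in args:
        nf, k = normalize(a)
        new_args.append(nf)
        steps += k
    t = (kind, name, level, tuple(new_args))
    if kind == "c" and level != 0:          # c_0 has no rule in R_omega
        for cname, pats, rhs in RULES:
            env = {}
            if (cname == name and len(pats) == len(new_args)
                    and all(match(p, a, env) for p, a in zip(pats, new_args))):
                # R uses rhs as is; R_omega uses c_{n+1} P |-> rhs[n]
                body = rhs if level is None else stratify(rhs, level - 1)
                nf, k = normalize(subst(body, env))
                return nf, steps + k + 1
    return t, steps

def stuck(t):
    """True if t still contains a constant, e.g. an unreducible c_0."""
    return t[0] == "c" or any(stuck(a) for a in t[3])

def least_level(m, bound=20):
    """Smallest n for which M[n] normalises to a constant-free term."""
    for n in range(bound):
        if not stuck(normalize(stratify(m, n))[0]):
            return n
    return None

# Constructed sample term: lh([0] ++ [0, 0])
M = C("lh", C("app", lst(Z), lst(Z, Z)))

if __name__ == "__main__":
    print(normalize(M)[1], least_level(M))
```

A normal form of $M[n]$ that still contains some $c_0$ denotes $\bot$ by lemma 3.1 (a), since $c_0$ has no rule; erasing the levels from it gives a reduct of $M$, which is the situation lemma 3.4 below describes.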

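Lemma 3.4. If $A \preceq M$ and $A$ contains no constant of the form $c_0$, then to every $C$-term
$N$ such that $M \to_{\mathcal{R}} N$ there is a $C_\omega$-term $B$ such that $A \to_{\mathcal{R}_\omega} B$ and $B \preceq N$.

Proof. Easy induction on $M$. □

Lemma 3.5. $[\![M]\!]^{\mathcal{R}} = \bigsqcup_n [\![M[n]]\!]^{\mathcal{R}_\omega}$.

Proof. By definition, $\alpha_{\mathcal{R}}$ is the least fixed point of the continuous functional $\Gamma_{\mathcal{R}} : D^C \to D^C$
defined by $\Gamma_{\mathcal{R}}(\alpha)(c) := \bot$ if there is no rule for $c$ in $\mathcal{R}$, otherwise $\Gamma_{\mathcal{R}}(\alpha)(c) := \mathrm{abst}(f)$
where $f : D^k \to D$ is defined by

$$f(\vec a) := \begin{cases}
[\![R]\!]^{\alpha} \eta & \text{if } c\vec P \mapsto R \in \mathcal{R} \text{ and } \vec P^{-1}(\vec a) = \mathrm{Just}(\eta) \\
\mathrm{dummy} & \text{if } \vec P^{-1}(\vec a) = \mathrm{Nothing} \text{ for all } c\vec P \mapsto R \in \mathcal{R} \\
\bot & \text{otherwise}
\end{cases}$$

Set $\alpha_n(c) := \alpha_{\mathcal{R}_\omega}(c_n)$. We show

$$\alpha_n = \Gamma_{\mathcal{R}}^n(\bot) \qquad (3.1)$$

by induction on $n$. For $n = 0$ both sides are $\bot$ (the left hand side $= \bot$ because there are
no rules for constants of the form $c_0$). If there is no rule for $c$ in $\mathcal{R}$, then both sides of (3.1)
are again $\bot$. Let now $c$ be a constant with at least one rule in $\mathcal{R}$. By induction hypothesis
we have $\Gamma_{\mathcal{R}}^{n+1}(\bot)(c) = \mathrm{abst}(f_n)$ where

$$f_n(\vec a) := \begin{cases}
[\![R]\!]^{\alpha_n} \eta & \text{if } c\vec P \mapsto R \in \mathcal{R} \text{ and } \vec P^{-1}(\vec a) = \mathrm{Just}(\eta) \\
\mathrm{dummy} & \text{if } \vec P^{-1}(\vec a) = \mathrm{Nothing} \text{ for all } c\vec P \mapsto R \in \mathcal{R} \\
\bot & \text{otherwise}
\end{cases}$$

(note that the definitions of the functions $f$ and $f_n$ above and the definition of $f$ after
lemma 3.2 differ in the constant environment under which the term $R$ is evaluated). Since by
lemma 3.1 (c), $[\![R]\!]^{\alpha_n} \eta = [\![R[n]]\!]^{\alpha_{\mathcal{R}_\omega}} \eta$ ($\alpha_n = \alpha_{\mathcal{R}_\omega} \circ \theta_n$ where $\theta_n(c) := c_n$) it follows $\Gamma_{\mathcal{R}}^{n+1}(\bot)(c) =
\alpha_{\mathcal{R}_\omega}(c_{n+1}) = \alpha_{n+1}(c)$. Now, since $\alpha_{\mathcal{R}}$ is the directed supremum of the $\Gamma_{\mathcal{R}}^n(\bot)$ it follows, by
continuity of the evaluation function $[\![M]\!]$, equation (3.1) and lemma 3.1 (c),

$$[\![M]\!]^{\mathcal{R}} = \bigsqcup_n [\![M]\!]^{\Gamma_{\mathcal{R}}^n(\bot)} = \bigsqcup_n [\![M]\!]^{\alpha_n} = \bigsqcup_n [\![M[n]]\!]^{\alpha_{\mathcal{R}_\omega}}$$

□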

Theorem 3.6. If $[\![M]\!]^{\mathcal{R}} \neq \bot$ and all $M[n]$ are strongly normalising w.r.t. $\mathcal{R}_\omega$, then $M$ is
strongly normalising w.r.t. $\mathcal{R}$.

Proof. Assume $[\![M]\!]^{\mathcal{R}} \neq \bot$. By continuity we have [M] r rcW J_ for some n. By lemma 3.5
it follows $[\![M[n]]\!]^{\alpha_{\mathcal{R}_\omega}} \eta \neq \bot$ for some $n$. Since, by assumption, $M[n]$ is strongly normalising
w.r.t. $\mathcal{R}_\omega$ it suffices to show:

If $\mathrm{SN}_{\mathcal{R}_\omega}(A)$, $[\![A]\!]^{\alpha_{\mathcal{R}_\omega}} \eta \neq \bot$ and $A \preceq M$, then $\mathrm{SN}_{\mathcal{R}}(M)$. (3.2)

We show this by induction on $\mathrm{SN}_{\mathcal{R}_\omega}(A)$. Assume the hypotheses of (3.2). We need to show
that all one step reducts of $M$ are strongly normalising. So, assume $M \to_{\mathcal{R}} N$. Since
$[\![A]\!]^{\alpha_{\mathcal{R}_\omega}} \eta \neq \bot$ we know, by lemma 3.1 (a), that $A$ contains no constant of the form $c_0$. By
lemma 3.4 it follows that $A \to_{\mathcal{R}_\omega} B$ with $B \preceq N$ for some $B$. By lemma 3.3 (applied to
$\mathcal{R}_\omega$), $[\![B]\!]^{\alpha_{\mathcal{R}_\omega}} \eta \neq \bot$; hence we can apply the induction hypothesis to $B$ and $N$. □

4. Strong normalisation via typing

In many cases the premises of theorem 3.6 can be proven for terms that are typeable in a
certain type system. Our main example will be second-order polymorphism (system F), but
any type system that meets a few natural conditions would do as well. These conditions are
isolated in the following notions of an (abstract) strongly normalising type system and the
notion of totality of a type system with respect to a type interpretation. The former notion
is the requirement that all typeable terms are strongly normalising for $\beta$-conversion plus any
stratified type-sound rewrite system. For a given type system this slightly stronger notion
of strong normalisation can usually be obtained by a simple modification of the known proof
of strong normalisation for $\beta$-conversion (for example Girard's candidate method).

Concerning strong normalisation we clearly may restrict our attention to the set $\Lambda_0(C)$
of closed terms in $\Lambda(C)$.

A type system consists of a set $T$ of types and a family of ternary relations $\vdash_C\ \subseteq
T^C \times \Lambda_0(C) \times T$ (indexed by constant systems $C$) which is stable under type respecting
constant substitutions, that is,

if $\Delta \vdash_C M : \rho$ and $\Delta = \Delta' \circ \theta$, then $\Delta' \vdash_{C'} M\theta : \rho$,

for any $\Delta \in T^C$, $M \in \Lambda_0(C)$, $\rho \in T$, $\theta : C \to C'$ and $\Delta' \in T^{C'}$.

A term $M \in \Lambda_0(C)$ is called typeable w.r.t. $\Delta \in T^C$ if $\Delta \vdash_C M : \rho$ for some $\rho \in T$. A
rewrite system $\mathcal{R}$ for $\Lambda(C)$ is type-sound w.r.t. $\Delta \in T^C$ if $\Delta \vdash_C \lambda\vec x\,L : \rho$ implies $\Delta \vdash_C \lambda\vec x\,R : \rho$
for every rule $L \mapsto R \in \mathcal{R}$ with $\mathrm{FV}(L) = \vec x$ and $\rho \in T$. The type system $T, \vdash$ is called strongly
normalising if for any set of constants $C$, any type assignment $\Delta \in T^C$ and any stratified
type-sound rewrite system $\mathcal{R}$ for $\Lambda(C)$ all typeable closed terms are strongly normalising
w.r.t. $\mathcal{R}$.

Next, we consider possible semantics of types in the model $D$ introduced in the previous
section. Since the value of a closed term does not depend on a variable assignment, we may,
for closed terms $M$, set $[\![M]\!]^\alpha := [\![M]\!]^\alpha \eta$ where $\eta \in D^{\mathrm{Var}}$ is arbitrary, for example $\eta := \bot$.
A type interpretation for $T$ is a mapping that assigns to every type $\rho \in T$ a subset $[\![\rho]\!]$ of
$D \setminus \{\bot\}$ such that whenever $\Delta \vdash_C M : \rho$ and $\alpha(c) \in [\![\Delta(c)]\!]$ for every $c \in C$, then $[\![M]\!]^\alpha \in [\![\rho]\!]$.

In the following we will call $\alpha \in D^C$ total if $\alpha(c) \in [\![\Delta(c)]\!]$ for all $c \in C$. Similarly we
will call $a \in D$ total if $a \in [\![\rho]\!]$ provided $\rho$ is clear from the context.

Theorem 4.1. Let $T, \vdash$ be a strongly normalising type system and $[\![\cdot]\!] : T \to \mathcal{P}(D \setminus \{\bot\})$ a
type interpretation. Let $\Delta \in T^C$ be a type assignment and $\mathcal{R}$ a type-sound rewrite system
such that $\alpha_{\mathcal{R}}$ is total. Then all typeable closed terms are strongly normalising w.r.t. $\mathcal{R}$.

Proof. Assume $\Delta \vdash_C M : \rho$. Since $\alpha_{\mathcal{R}}$ is total it follows that $[\![M]\!]^{\alpha_{\mathcal{R}}}$ is total, i.e. a member of
$[\![\rho]\!]$, and hence different from $\bot$. Define the constant substitutions $\theta_n : C \to C_\omega$ ($n \in \mathbb{N}$) and
$\theta' : C_\omega \to C$ by $\theta_n(c) := c_n$ and $\theta'(c_n) := c$. Note that $M\theta_n = M[n]$. Set $\Delta' := \Delta \circ \theta'$. Since
$\Delta = \Delta' \circ \theta_n$ it follows $\Delta' \vdash_{C_\omega} M\theta_n : \rho$ for every $n \in \mathbb{N}$. Furthermore, the stratified rewrite
system $\mathcal{R}_\omega$ is type-sound w.r.t. $\Delta' \in T^{C_\omega}$. This can be seen as follows: Assume $\Delta' \vdash \lambda\vec x\,L : \rho$
for some rule $L \mapsto R \in \mathcal{R}_\omega$ with $\mathrm{FV}(L) = \vec x$. Since $\Delta' = \Delta \circ \theta'$ it follows $\Delta \vdash \lambda\vec x\,L\theta' : \rho$.
But $L\theta' \mapsto R\theta' \in \mathcal{R}$. Hence $\Delta \vdash \lambda\vec x\,R\theta' : \rho$, since $\mathcal{R}$ is type-sound. Since $L \mapsto R \in \mathcal{R}_\omega$ we
have $R = R\theta'\theta_n$ for some $n$. But this implies $\Delta' \vdash \lambda\vec x\,R : \rho$. Since we have shown that $\mathcal{R}_\omega$ is
type-sound, and since $M\theta_n$ is typeable and $T, \vdash$ is assumed to be strongly normalising, it
follows that $M\theta_n$ is strongly normalising w.r.t. $\mathcal{R}_\omega$ for every $n \in \mathbb{N}$. Hence both premises of
theorem 3.6 are satisfied and we may conclude that $M$ is strongly normalising w.r.t. $\mathcal{R}$. □

5. Applications

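As an example of an applied $\lambda$-calculus we consider system F extended by lists and
constants with rewrite rules based on pattern matching. We consider the same set of
constructors $\mathrm{CO} = \{\mathrm{T}, \mathrm{F}, 0, [], \mathrm{S}, \mathrm{cons}\}$ as in section 2 but leave the set of constants $C$
unspecified for the moment. Given a set $\mathrm{TV}$ of type variables p,p%,..., the set of (open)
types is defined by the grammar

$$\rho, \sigma ::= p \mid \mathrm{boole} \mid \mathrm{nat} \mid \mathrm{list}(\rho) \mid \rho \to \sigma \mid \forall p\,\rho$$

A context is a mapping $\Gamma$ from a finite set $\mathrm{dom}(\Gamma)$ of object variables to the set of types,
written as $x_1 : \rho_1, \dots, x_n : \rho_n$. The rules for the inductive definition of the typing judgments
$\Delta, \Gamma \vdash_C M : \rho$, where $\Delta \in T^C$, $\Gamma$ is a context, $M \in \Lambda(C)$ and $\rho \in T$, are displayed in
Figure 1.

$$\Delta, \Gamma, x : \rho \vdash_C x : \rho \qquad\qquad \dfrac{c \in C}{\Delta, \Gamma \vdash_C c : \Delta(c)}$$

$$\dfrac{\Delta, \Gamma, x : \rho \vdash_C M : \sigma}{\Delta, \Gamma \vdash_C \lambda x.M : \rho \to \sigma} \qquad\qquad \dfrac{\Delta, \Gamma \vdash_C M : \rho \to \sigma \qquad \Delta, \Gamma \vdash_C N : \rho}{\Delta, \Gamma \vdash_C M N : \sigma}$$

$$\dfrac{\Delta, \Gamma \vdash_C M : \rho}{\Delta, \Gamma \vdash_C M : \forall p\,\rho}\ (p \text{ not free in } \Gamma) \qquad\qquad \dfrac{\Delta, \Gamma \vdash_C M : \forall p\,\rho}{\Delta, \Gamma \vdash_C M : \rho[\sigma/p]}$$

$$\Delta, \Gamma \vdash_C \mathrm{T} : \mathrm{boole} \qquad\qquad \Delta, \Gamma \vdash_C \mathrm{F} : \mathrm{boole}$$

$$\Delta, \Gamma \vdash_C 0 : \mathrm{nat} \qquad\qquad \dfrac{\Delta, \Gamma \vdash_C M : \mathrm{nat}}{\Delta, \Gamma \vdash_C \mathrm{S}(M) : \mathrm{nat}}$$

$$\Delta, \Gamma \vdash_C [] : \mathrm{list}(\rho) \qquad\qquad \dfrac{\Delta, \Gamma \vdash_C M : \rho \qquad \Delta, \Gamma \vdash_C N : \mathrm{list}(\rho)}{\Delta, \Gamma \vdash_C \mathrm{cons}(M, N) : \mathrm{list}(\rho)}$$

Figure 1: The typing rules for extended System F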

We let $T_0$ be the set of closed types and define

$$\Delta \vdash^F_C M : \rho \ :\Leftrightarrow\ \Delta, \vdash_C M : \rho \text{ and } \rho \in T_0$$

Proposition 5.1. $(T_0, \vdash^F)$ is a strongly normalising type system.

Proof. Clearly $(T_0, \vdash^F)$ is a type system. In order to see that it is strongly normalising one
easily adapts the proof of strong normalisation for system F as given, for example in [Bar92]
(which is based on Girard's proof [Gir71] in the $\lambda$-calculus version due to Tait [Tai75]), so as
to accommodate stratified rewrite systems. We leave details to the reader. A corresponding
proof for simple types is worked out in detail in [Ber04b]. □

Our next task is to interpret types in the domain $D$ defined in section 3 (for the specific
set of constructors $\mathrm{CO}$ above). We define the element $\mathrm{dummy} \in D$, which was left unspecified
in section 3, recursively by

$$\mathrm{dummy} = \mathrm{abst}(\lambda a \in D.\,\mathrm{dummy})$$



STRONG NORMALISATION FOR APPLIED LAMBDA CALCULI 






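We set $\mathbf{B} := \{\mathrm{T}, \mathrm{F}\} \cup \mathrm{abst}(D)$, where $\mathrm{abst}(D) := \{\mathrm{abst}(d) \mid d \in D\}$, and $\mathbf{N}$ := the least
subset of $D$ that contains $\{0\} \cup \mathrm{abst}(D)$ and is closed under the constructor $\mathrm{S}$. Furthermore,
for a subset $A \subseteq D$ we set $\mathrm{list}(A)$ := the least subset of $D$ that contains $\{\mathrm{nil}\} \cup \mathrm{abst}(D)$
and contains with $d$ also $\mathrm{cons}(a, d)$ for every $a \in A$. Finally, for $A, B \subseteq D$ we set $A \to B :=
\{\mathrm{abst}(f) \in D \mid \forall a \in D\,(a \in A \Rightarrow f(a) \in B)\}$. Set

$$\mathcal{V}(D) := \{A \subseteq D \mid \mathrm{dummy} \in A,\ \bot \notin A\}$$

Note that $\mathcal{V}(D)$ contains $\mathbf{B}$, $\mathbf{N}$ and is closed under arbitrary nonempty intersections and
under the operations $A \mapsto \mathrm{list}(A)$ and $(A, B) \mapsto A \to B$ (it is precisely the latter closure
condition together with the requirement that the intersection of all types has to be nonempty
that leads to the somewhat mysterious definition of $\mathrm{dummy}$).

For every type $\rho \in T$ and type variable assignment $\tau : \mathrm{TV} \to \mathcal{V}(D)$ we define $[\![\rho]\!]\tau \in
\mathcal{V}(D)$ by recursion on $\rho$:

$$\begin{array}{rcl}
[\![p]\!]\tau &=& \tau(p) \\
[\![\mathrm{boole}]\!]\tau &=& \mathbf{B} \\
[\![\mathrm{nat}]\!]\tau &=& \mathbf{N} \\
[\![\mathrm{list}(\rho)]\!]\tau &=& \mathrm{list}([\![\rho]\!]\tau) \\
[\![\rho \to \sigma]\!]\tau &=& [\![\rho]\!]\tau \to [\![\sigma]\!]\tau \\
[\![\forall p\,\rho]\!]\tau &=& \bigcap_{A \in \mathcal{V}(D)} [\![\rho]\!]\tau_p^A
\end{array}$$

Lemma 5.2. $[\![\cdot]\!]$, restricted to closed types, is a type interpretation for $(T_0, \vdash^F)$.

Proof. Call $\eta \in D^{\mathrm{Var}}$ total for a type assignment $\tau : \mathrm{TV} \to \mathcal{V}(D)$ and a context $\Gamma$ if $\eta(x) \in
[\![\Gamma(x)]\!]\tau$ for every $x \in \mathrm{dom}(\Gamma)$. By a straightforward induction on typing derivations one
shows that if $\Delta, \Gamma \vdash_C M : \rho$, then $[\![M]\!]^\alpha \eta \in [\![\rho]\!]\tau$ for all $\tau$ and all $\alpha, \eta$ that are total for
$\Delta, \Gamma$. □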

Now let C consist of the constants if, <, In, get, +f, <£, ^ and a constant for every higher- 
type primitive recursive functional. Let MBR be the rewrite system consisting of the 
rewrite rules of section |21 and the usual rewrite rules for primitive recursion. The typing A 
for the constants is as expected. For example, writing c: p for A(c) = p, 



if 


Vp .boole — 


-> p — > p 






< 


nat — > nat 


— > boole 






Ih 


\/p .list(p) - 


-> nat 






get 


Vp .list(p) - 


-> nat — > p 






+f 


Vp .list(p) - 


-> list(p) -> 


list(p) 






Vp.((nat - 


► p) — > nat) 


-((p- 


-> nat) — > p) — > list(p) — > nat 




Vp.((nat - 


> p) — > nat) 




-» nat) — ► p) — > list(p) — > nat — > boole — > p 



Lemma 5.3. MBR is type-sound for \- F and A. 



Proof. Immediate, by inspection of the rewrite rules. 



□ 
Theorem 5.4. System F extended by Gödel primitive recursion and modified bar recursion
is strongly normalising.

Proof. By theorem 4.1, proposition 5.1 and lemmas 5.2 and 5.3 it suffices to show that $\alpha_{\mathrm{MBR}}$
is total. The proof of totality of $\alpha_{\mathrm{MBR}}(c)$ for constants $c \in \{\mathrm{if}, <, \mathrm{lh}, \mathrm{get}, {+\!\!+}\}$ and, more
generally, any primitive recursive constant is easy and left to the reader. In the following
we will write $c$ instead of $\alpha_{\mathrm{MBR}}(c)$, $a(b)$ instead of $\mathrm{strict}(\mathrm{app})(a, b)$ and $\lambda x.e$ instead
of $\mathrm{strict}(\mathrm{abst})(\lambda x.e)$. We will also write $[x_0, \ldots, x_{n-1}]$ for $\mathrm{cons}(x_0, \ldots, \mathrm{cons}(x_{n-1}, \mathrm{nil}))$
and call such objects proper lists. According to the rewrite rules for $\Phi$ and $\Psi$ we have
$\Phi = \mathrm{abst}(\varphi)$ and $\Psi = \mathrm{abst}(\psi)$ where for total arguments $y, g, s, k$

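$\varphi(y,g,s) = y(\lambda k.\,\psi(y,g,s,k,k < \mathrm{lh}(s)))$

$\psi(y,g,s,k,\mathrm{T}) = \mathrm{get}(s,k)$

$\psi(y,g,s,k,\mathrm{F}) = g(\lambda x.\,\varphi(y,g,s*x))$

$\psi(y,g,s,k,b) = \mathrm{dummy}$, if $\mathrm{case}(b) \in (\mathrm{Co} \setminus \{\mathrm{T}, \mathrm{F}\}) \cup \{\mathrm{abst}\}$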

More precisely, since $\Phi$ and $\Psi$ have universal types, we choose an arbitrary set $A \in V(D)$ and
take $y \in (\mathbb{N} \to A) \to \mathbb{N}$, $g \in (A \to \mathbb{N}) \to A$, $s \in \mathrm{list}(A)$, and show $\varphi(y,g,s) \in \mathbb{N}$. We may
assume that $s$ is a proper list, i.e. $s = [x_0, \ldots, x_{n-1}]$ with $x_i \in A$ ($i < n$), because for other
$s \in \mathrm{list}(A)$ we clearly have $\varphi(y,g,s) = \mathrm{dummy} \in \mathbb{N}$. Assume $\varphi(y,g,s) \notin \mathbb{N}$. Then there must
be some $k \in \mathbb{N}$ such that $k < \mathrm{lh}(s) = \mathrm{F}$ and $\psi(y,g,s,k,\mathrm{F}) \notin A$. The latter can only happen
if $\varphi(y,g,[x_0, \ldots, x_{n-1}, x_n]) \notin \mathbb{N}$ for some $x_n \in A$. Repeating this argument one obtains an
infinite sequence of elements $x_n, x_{n+1}, \ldots$ such that each $x_i \in A$ and $\varphi(y,g,[x_0, \ldots, x_m]) \notin \mathbb{N}$
for any $m > n$. Define a continuous function $f : D \to D$

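$$f(k) := \begin{cases} x_m & \text{if } k = S^m(0) \\ \mathrm{dummy} & \text{if } k = S^m(\mathrm{abst}(a)) \text{ for some } m \in \mathbb{N} \text{ and } a \in D \\ \bot & \text{otherwise} \end{cases}$$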

Clearly $\mathrm{abst}(f) \in \mathbb{N} \to A$. Hence $y(\mathrm{abst}(f)) \in \mathbb{N}$. Since $\lambda a.y(a)$ is continuous and $\mathbb{N}$
is an open subset of $D$ there is a finite (compact) approximation $f_0$ of $f$ such that
$y(\mathrm{abst}(f_0)) = y(\mathrm{abst}(f))$. From the first equation for $\psi$ it follows that there is some $m > n$
such that for $s' := [x_0, \ldots, x_m]$ we have $\mathrm{abst}(f_0) \sqsubseteq \lambda k.\,\psi(y,g,s',k,k < \mathrm{lh}(s'))$. Therefore
$\varphi(y,g,s') = y(\lambda k.\,\psi(y,g,s',k,k < \mathrm{lh}(s'))) \in \mathbb{N}$ which is a contradiction. □

We conclude with a brief discussion of other rewrite systems which have been used to
interpret strong classical analytical principles and for which our method works as well. In
[BBC98] the following recursion was considered, which can be viewed as a more efficient
'demand driven' variant of modified bar recursion. As with modified bar recursion we use
an auxiliary constant replacing the if-then-else construct used in [BBC98, Ber04a]:

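$\Phi y g s \mapsto y(\lambda n.\,\Psi y g s n\,(n \in \mathrm{dom}(s)))$

$\Psi y g s n\,\mathrm{T} \mapsto s[n]$    (5.1)

$\Psi y g s n\,\mathrm{F} \mapsto g\,n\,(\lambda z.\,\Phi y g (s*(n, z)))$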

where $y : (\mathrm{nat} \to \rho) \to \mathrm{nat}$, $g : \mathrm{nat} \to (\rho \to \mathrm{nat}) \to \rho$ and $s : (\mathrm{nat} \times \rho)^*$ is to be viewed
as the graph of a finite function with $n \in \mathrm{dom}(s)$ and $s[n]$ having the expected meanings.
In [Ber04a] it was shown that (5.1) can be derived from the following principle of open
recursion (again formulated with an auxiliary constant):

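$\Phi y \alpha \mapsto y \alpha (\lambda n, z.\,\Psi y \alpha n z\,(z \prec \alpha n))$

$\Psi y \alpha n z\,\mathrm{T} \mapsto \lambda\gamma.\,\Phi y (\bar{\alpha}n * z @ \gamma)$    (5.2)

$\Psi y \alpha n z\,\mathrm{F} \mapsto \lambda\gamma.\,0$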

Here $\prec : \rho \times \rho \to \mathrm{boole}$ is (the graph of) a wellfounded relation, $\alpha, \gamma : \mathrm{nat} \to \rho$, $\bar{\alpha}n = [\alpha 0, \ldots, \alpha(n-1)]$ and $s@\gamma = \lambda k.\,\mathrm{if}\ k < |s|\ \mathrm{then}\ \ \mathrm{else}\ \gamma k$. So, $\Phi$ is recursively called with
arguments of the form $\bar{\alpha}n * z @ \gamma$, which are lexicographically smaller than $\alpha$. Note, however,
that the lexicographic ordering on infinite sequences is not wellfounded. Both recursions,
(5.1) and (5.2), have the proof-theoretic strength of full second order arithmetic. Their
significance rests on the fact that they can be used to give rather direct realisability
interpretations of strong classical theories: (5.1) realises classical countable choice [BBC98],
while (5.1) realises open induction [Ber04a], a principle closely related to Nash-Williams'
minimal-bad-sequence argument [NW63].

By theorem 4.1 and the results of this section, the strong normalisability of system F
plus the recursions above boils down to showing that the interpretations of (5.1) and (5.2)
are total. The totality of (5.2) can be shown by open induction. To prove totality of (5.1)
it is easiest to use the reduction to (5.2) given in [Ber04a].
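
As an added illustration (not code from the paper), the equations for φ and ψ from the proof of theorem 5.4 and the demand-driven recursion (5.1) can be run directly, with Python closures standing in for total continuous functionals and ρ instantiated to nat. The names `mbr`, `demand_driven`, `counted` and `compare`, the sample `y` and `g`, and the reading of Ψ in (5.1) as taking the index n as an argument are assumptions of this example.

```python
# Added example: modified bar recursion and recursion (5.1) as Python closures.
# Assumption: rho = nat, and y, g below are constructed sample functionals.

def mbr(y, g, s=()):
    """phi(y, g, s) = y(lambda k. psi(y, g, s, k, k < lh(s)))."""
    def psi(k):
        if k < len(s):                      # psi(y, g, s, k, T) = get(s, k)
            return s[k]
        # psi(y, g, s, k, F) = g(lambda x. phi(y, g, s*x))
        return g(lambda x: mbr(y, g, s + (x,)))
    return y(psi)

def demand_driven(y, g, s=None):
    """Recursion (5.1); s is the graph of a finite function, held as a dict."""
    s = {} if s is None else s
    def psi(n):
        if n in s:                          # n in dom(s): answer with s[n]
            return s[n]
        # n not in dom(s): g n (lambda z. Phi y g (s*(n, z)))
        return g(n, lambda z: demand_driven(y, g, {**s, n: z}))
    return y(psi)

def counted(fn):
    """Wrap fn so the number of calls made to it can be read from .calls."""
    def wrapper(*args):
        wrapper.calls += 1
        return fn(*args)
    wrapper.calls = 0
    return wrapper

def compare(index):
    """Run both recursions against a y that inspects a single position."""
    y = lambda f: f(index) + 1              # y : (nat -> rho) -> nat
    g_list = counted(lambda h: h(0))        # g : (rho -> nat) -> rho
    g_graph = counted(lambda n, h: h(0))    # g : nat -> (rho -> nat) -> rho
    return (mbr(y, g_list), g_list.calls,
            demand_driven(y, g_graph), g_graph.calls)
```

For `index = 3` the list-based recursion calls `g` four times, extending `s` one element at a time until position 3 exists, while (5.1) calls `g` once and records only the queried position.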